Help with network setup

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Help with network setup

t0ny

306 posts

Ultimate Geek

Lifetime subscriber

#236053 15-May-2018 19:57

Hi, i have been stuffing around with my working network to make administration a bit easier. How i would like it to work is have my ER Lite setup so it becomes the DHCP for all my vlans and then have the cambium access points centrally managed via the cloud admin tool. My problem at the moment is that everything on VLAN 1 is working fine but a seperate VLAN (30) does not appear to work as expected. The wifi client just gets stuck on trying to retrieve IP .

The E600 is set up as follows:

ACL:

Trunk:

VLAN:

On my DLINK switch:

And finally, on the erlite:


 
firewall {
all-ping enable
broadcast-ping disable
group {
network-group IOT_VLAN_BLOCK_NETS {
description "Drop IoT traffic to other VLANs"
network 192.168.1.0/24
network 192.168.20.0/24
}
network-group LAN_NETWORKS {
description "RFC1918 LAN Networks"
network 192.168.0.0/16
network 172.16.0.0/12
network 10.0.0.0/8
}
network-group VIDEO_VLAN_BLOCK_NETS {
description "Drop Video Camera traffic to other VLANs"
network 192.168.20.0/24
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable

name IOT_WIFI_PROTECT_IN {
default-action accept
rule 10 {
action accept
description "Accept IoT WiFi Established/Related"
protocol all
state {
established enable
related enable
}
}
rule 30 {
action drop
description "Drop IOT_VLAN_BLOCK_NETS"
destination {
group {
network-group IOT_VLAN_BLOCK_NETS
}
}
protocol all
}
}
name IOT_WIFI_PROTECT_LOCAL {
default-action drop
rule 10 {
action accept
description "Accept DNS"
destination {
port 53
}
protocol udp
}
rule 20 {
action accept
description "Accept DHCP"
destination {
port 67
}
protocol udp
}
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}

rule 30 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description "Internet (PPPoE)"
duplex auto
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto

}
speed auto
}
ethernet eth1 {
address 192.168.1.1/24
description Local
duplex auto
speed auto
vif 30 {
address 192.168.30.1/24
description IoT
firewall {
in {
name IOT_WIFI_PROTECT_IN
}
local {
name IOT_WIFI_PROTECT_LOCAL
}
}
mtu 1500
}
}
ethernet eth2 {
address 192.168.2.1/24
description "Local 2"
disable
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
wan-interface eth0
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
domain-name xxxxxl
lease 86400
start 192.168.1.38 {
stop 192.168.1.243
}
}
}
shared-network-name VLAN30_IOT {
authoritative disable
subnet 192.168.30.0/24 {
default-router 192.168.30.1
dns-server 192.168.30.1
lease 86400
start 192.168.30.50 {
stop 192.168.30.100
}
}
}
static-arp disable
use-dnsmasq enable
}
dns {
forwarding {
cache-size 400
listen-on eth1
listen-on eth1.30
name-server 192.168.1.1
name-server 1.1.1.1
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 1 {
description "DNS Redirection"
destination {
port 53
}
inbound-interface eth1
inside-address {
address 192.168.1.1
port 53
}
log disable
protocol tcp_udp
source {
address 192.168.1.2-192.168.1.254
}
type destination
}
rule 5010 {
description "masquerade for WAN"
outbound-interface pppoe0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}

Please advise.

Image already added

freakngeek

348 posts

Ultimate Geek

#2016538 15-May-2018 21:41

I see above you are trying to force DNS to the router ?
I do it this way:

nat {
rule 4000 {
description "Policy DNAT: Force LAN DNS Requests to Router"
destination {
address !192.168.0.1
port 53
}
inbound-interface eth1
inside-address {
address 192.168.0.1
}
log disable
protocol tcp_udp
type destination
}

And you can set an IP to ignore that rule with this:

rule 4010 {
description "OpenDNS for 192.168.0.6"
destination {
address !192.168.0.6
port 53
}
inbound-interface eth1
inside-address {
address 208.67.222.222
}
log disable
protocol tcp_udp
type destination
}

Eth0 = WAN, Eht1 = LAN
IP 192.168.0.6 uses OpenDNS DNS server every body else is forced to use System DNS servers

Probably won't help your issue above

I'm thinking VLAN issue somewhere along the line as Firewall looks correct

cyril7

7752 posts

Uber Geek

Trusted

Subscriber

#2016597 16-May-2018 06:45

Hi, without looking through all of that config, why has vlan30 on the ER not being assigned an IP address, I doubt it will pick it up from its own DHCP server, as it is, it will not route.

So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway and adjust the pool to .10 - .250 or something like that.

Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan so the DHCP server on that network will not work properly.

Edit: also on the Dlink, is there a trunk port to connect to Eth1 of the ER, the config as shown does not show that. And, the WAP I assume this is on port2 of the switch, so whats the mgmt vlan of the WAP, it is common (but not always) that vlan1(untagged) is your mgmt vlan and user traffic is tagged, in your case 30.

Cyril

freakngeek

348 posts

Ultimate Geek

#2016601 16-May-2018 07:08

cyril7:

Hi, without looking through all of that config, why has vlan30 on the ER not being assigned an IP address, I doubt it will pick it up from its own DHCP server, as it is, it will not route.

So assign it as static (192.168.30.1) and then set the DHCP server pool to give that IP as the vlan30 gateway and adjust the pool to .10 - .250 or something like that.

Having never used an ER I am not sure what the config options are, but as it currently is there is no gateway for the vlan so the DHCP server on that network will not work properly.

Cyril

I think:

default-router 192.168.30.1

Takes care of that

My thoughts are some where the VLAN is not right, either on AP or Switch as ERL3 looks right

cyril7

7752 posts

Uber Geek

Trusted

Subscriber

#2016623 16-May-2018 08:15

Doh, missed that, there are mulitple stanza's that could probably be better in one that distributed across multiple entries, so makes it a bit cumbersome to read.

Cyril

cyril7

7752 posts

Uber Geek

Trusted

Subscriber

#2016624 16-May-2018 08:15

Doh, missed that, there are mulitple stanza's that could probably be better in one that distributed across multiple entries, so makes it a bit cumbersome to read.

Cyril

t0ny

306 posts

Ultimate Geek

Lifetime subscriber

#2016640 16-May-2018 08:46

Thanks everyone, iam starting to lean towards a switch issue. The dlink appears to lock up if i attempt to use 802.1Q and a hard reset is the only thing that gets it working again. Will pick up a unifi switch this afternoon and give it another go.

Image already added

t0ny

306 posts

Ultimate Geek

Lifetime subscriber

#2017221 16-May-2018 21:30

Quick update..set up vlan trunking on my new unifi switch and it worked as expected. Is there a way to configure the unifi so only the cambium is allowed to patch into that port? Want to stop ppl from just pluggin in their laptop :)

Image already added

cyril7

7752 posts

Uber Geek

Trusted

Subscriber

#2017277 17-May-2018 06:24

Hi, you could use mac-filtering, alternatively most of us lock the cabinets.

Cyril